Security Breaches in Higher Education

How Multifactor Authentication Protects Admissions Data

On March 7, 2019, cybercriminals accessed admissions information from three colleges – Grinnell, Hamilton, and Oberlin. After obtaining access to the information, they sent applicants emails holding their nonpublic personally identifiable information, such as birth date, for ransom.

The unauthorized access traced back to Slate, a software system that many institutions of higher education use to manage applicant data. The Software-as-a-Service platform, used by over 800 colleges worldwide, transmits emails, texts, and new applications. Slate explained that the breach arose from unauthorized users accessing the colleges’ password-reset systems.

A lack of multifactor authentication for single-sign-on systems allowed the cybercriminals access to the platform.

More than merely a hassle over needing to notify students whose data may have been breached, the cyber attack could put the colleges’ student enrollment at risk. Students worried about data protection and control may choose to attend institutions of higher education that have stronger cybersecurity practices.

Why Protecting Email Matters

On February 27, 2019, Florida Keys Community College announced a data breach arising from unauthorized access to employee email that occurred between May 5, 2018, and November 5, 2018. On October 19, the college discovered suspicious activity. On January 7, 2019, the college confirmed the identities of the people whose data had been compromised. The nonpublic personally identifiable information included name, address, date of birth, Social Security number, passport information, medical information, username, and password.

According to the 2018 Ponemon Cost of a Data Breach Report, the Mean Time to Identify a breach was 197 days, and the Mean Time to Contain was 69 days. Based on the timing above, Florida Keys Community College fared better than some: it took 167 days to identify the suspicious activity and 7 days to contain it.

In grading terms, Florida Keys Community College earns a C+ for identification and an A- for incident response.

However, given the information obtained by the cybercriminals, students, faculty, and staff may not be comforted by this. Depending on the number of email accounts accessed, the attackers could have exploited weaknesses in the domain and IP configurations, SMTP authentication controls, limits on the number of connections to servers, or a variety of other network security settings.

How Vendor Risk Management Protects Student Records

According to the Stanford Daily, a student on campus found a vulnerability in the third-party content management system, NolijWeb, that allowed Stanford applicants to access their Common Application forms. In 2015, NolijWeb began offering students access to their files. However, the system used student identification numbers as part of the records’ URL, meaning that any logged-in user could access another applicant's information by changing a few characters in the URL.

Stanford immediately disabled access to the application and suspended online access to the application documents, which are protected by the Family Educational Rights and Privacy Act (FERPA).

Since a user needed an authenticated student login to access the site, the regular audits gave the vendor a clean record. Authentication alone, however, did not establish that the logged-in user was authorized to view the specific record requested, and it also means neither Stanford nor NolijWeb knew how long the vulnerability existed.
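The pattern behind the Stanford flaw is an insecure direct object reference: the server trusts an identifier supplied in the URL. The following Python model is an added illustration, not code from the article, Stanford, or NolijWeb; it assumes a hypothetical `sid` URL parameter and constructed sample records, and shows the vulnerable lookup beside a version that checks the record's owner and records denied attempts so an audit has something to find.

```python
# Added example (not the vendor's code): insecure direct object reference (IDOR)
# modelled on the student-ID-in-URL flaw, beside an authorization-checked lookup.
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: a record store keyed by student ID. Each record
# carries its owner so the server can authorize on its own data, not the URL.
RECORDS = {
    "1001": {"owner": "1001", "doc": "Common App form for student 1001"},
    "1002": {"owner": "1002", "doc": "Common App form for student 1002"},
}

# Denied lookups are kept here so an audit can detect cross-record probing;
# the real NolijWeb audits had no such signal, which is why they came back clean.
DENIED = []


def student_id_from_url(url: str) -> Optional[str]:
    """Pull the hypothetical ?sid= parameter from the viewer URL."""
    return parse_qs(urlparse(url).query).get("sid", [None])[0]


def fetch_vulnerable(session_user: str, url: str) -> Optional[dict]:
    """Vulnerable pattern: the login only proves that *some* student is signed
    in; the record returned is whatever ID the client put in the URL, so
    changing a few characters exposes another applicant's file."""
    if not session_user:  # authentication check only, no authorization
        return None
    return RECORDS.get(student_id_from_url(url))


def fetch_hardened(session_user: str, url: str) -> Optional[dict]:
    """Hardened pattern: compare the stored owner of the requested record with
    the authenticated user; never trust the client-supplied ID by itself."""
    if not session_user:
        return None
    sid = student_id_from_url(url)
    record = RECORDS.get(sid)
    if record is None or record["owner"] != session_user:
        DENIED.append((session_user, sid))  # evidence for detection and review
        return None
    return record
```

Running both lookups with a session for student 1001 against a URL naming student 1002 shows the difference: the vulnerable version returns the other applicant's form, the hardened one returns nothing and logs the attempt.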

However, this is not the first data breach Stanford has suffered in recent years. In 2017, a permissions error in the University-wide file sharing system allowed any Andrew File System (AFS) user to access sexual assault case preparation files. A month later, a vulnerability in the Graduate School of Business site leaked employee information.

All of these data breaches stem from permissions issues and vulnerabilities inherent in third-party vendor systems.

Four Steps to Securing Higher Education Data

Identify Risk

All of these breaches began at data storage, transmission, and collection points that are often overlooked in risk review processes. Colleges and universities know they handle sensitive data. However, increased use of Software-as-a-Service offerings, whether new vendors or updated legacy systems, transforms traditional data into electronic information.

Stanford, for example, had been using NolijWeb for scanned documents since 2009, 6 years before the application allowed students web access to the records. Therefore, the vulnerability may have been introduced with that update or added later.

Thus, institutions of higher education need to focus more purposefully on identifying all locations that store, transmit, and collect data. Whether using a new integration or an updated legacy provider, colleges and universities need to be more engaged in the risk identification process.

Secure Networks

Higher education incorporates a variety of networks, creating a complex architecture. Library domains, email servers, and guest wireless connections are only a few of these potentially risky networks.

As more students access data via mobile devices, which are frequent targets of man-in-the-middle attacks, colleges and universities need to be more diligent in establishing controls over those networks to protect data.

Focus on User Access and Authentication

Unlike other industries, higher education experiences annual user turnover. Upon graduation, students should no longer be allowed access to systems, software, and networks. Although alumni often love their alma maters, graduates create access and authentication risks.

Moreover, colleges and universities need to be diligent about enforcing multifactor authentication. A lost smartphone or a laptop left open in the library can lead to unauthorized access. Therefore, whether students and faculty like it or not, higher education needs to be more diligent about protecting access by incorporating additional controls.

Monitor Vendor Risk

In the same way that colleges and universities expect incoming first years to prove academic proficiency, they also need to ensure their vendors prove security proficiency.

After identifying risk, institutions need to make sure that they assess and analyze the risk that third parties pose to information. Any SaaS provider that stores, transmits, or collects student, faculty, and staff information needs to align their security controls with the institution’s risk tolerance. Service-level agreements between the institution and its vendor need to document acceptable controls as well as a consequence for failing to maintain control effectiveness.

How ZenGRC Enables Higher Education

Institutions need an automated process for organizing their security reviews.

With ZenGRC’s task prioritization, everyone knows what to do and when to do it, ensuring efficient review of the “to do” and “completed tasks” lists.

With our workflow tagging, CISOs can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
